
The DNS (Domain Name System): An Introduction

1. Task (page 1)
2. DNS structure (page 1)
3. Domain structure (page 2)
4. Delegation (page 2)
5. What is a zone? (page 3)
6. Root NS (page 3)
7. Resolver (page 4)
8. Name server (page 5)
8.1 Primary NS & Secondary NS (page 5)
8.2 Caching NS and recursive queries (page 6)
9. The zone file (page 7)
9.1 SOA (Start of Authority) (page 7)
9.2 Resource records (page 8)
9.3 The @ symbol (page 10)
10. Reverse mapping (page 10)
11. Tools (page 12)
12. Special features of gTLD domains (page 13)

1. Task
The Domain Name System assigns a name (a domain) that is easy for people to remember to a number (IP) used for a machine.

2. DNS structure
The DNS is strictly hierarchical and is thus always organised top down from the root.

Version 1.0, 01/15/04 1&1 Internet Inc.

3. Domain structure
In contrast to the normal convention of reading in the western world, a domain is read from right to left and can be divided by one or more . (dots) into labels containing a maximum of 63 characters each. According to RFC 2181 the maximum allowable length of a complete domain including separating dots amounts to 255 characters.

4. Delegation
One of the basic ideas behind the introduction of the DNS was to create a structure that is as decentralised, and as resistant to disruptions, as possible. The bulk of this idea is achieved by passing on responsibility for domains to different name servers. This is referred to as delegation. The result is that no single name server (which would be a very easy target for attacks) is responsible for all domains; instead the responsibility for each individual domain can be delegated from each higher-level domain to other name servers, following the top-down principle.

Delegating a domain to name servers that have no authoritative information on the domain is referred to as lame delegation.


5. What is a zone?
Zones can be created by delegating a domain to other name servers. A zone thus contains all information about a complete domain or certain parts of it. An example of this is the domain www.1and1.com. In this case the 1and1 subdomain lying within the com zone was delegated to the name servers ns27.1and1.com and ns28.1and1.com. The administrator of the 1and1.com zone then entered an additional www subdomain to improve accessibility to the Web server. Because this subdomain was not delegated to a new name server, but was created within the 1and1 zone, the www.1and1.com domain is created which lies in the 1and1 zone and for which ns27 and ns28.1and1.com are the authoritative name servers (see section 8).

6. Root NS
There are currently 13 root servers worldwide, all but 3 of them located in the USA.

A.ROOT-SERVERS.NET.   4d39m53s  IN  A   198.41.0.0/24
B.ROOT-SERVERS.NET.   4d39m53s  IN  A   128.9.0.0/16
C.ROOT-SERVERS.NET.   4d39m53s  IN  A   192.33.4.0/24
D.ROOT-SERVERS.NET.   4d39m53s  IN  A   128.8.0.0/16
E.ROOT-SERVERS.NET.   4d39m53s  IN  A   192.203.230.0/24
F.ROOT-SERVERS.NET.   4d39m53s  IN  A   192.5.5.0/24
G.ROOT-SERVERS.NET.   4d39m53s  IN  A   192.112.36.0/24
H.ROOT-SERVERS.NET.   4d39m53s  IN  A   128.63.0.0/16
I.ROOT-SERVERS.NET.   4d39m53s  IN  A   192.36.148.0/24
J.ROOT-SERVERS.NET.   4d39m53s  IN  A   192.58.128.0/24
K.ROOT-SERVERS.NET.   4d39m53s  IN  A   193.0.14.0/24
L.ROOT-SERVERS.NET.   4d39m53s  IN  A   198.32.64.0/24
M.ROOT-SERVERS.NET.   4d39m53s  IN  A   202.12.27.0/24

A.ROOT-SERVERS.NET is given the special task of serving as the Primary Root NS, providing authoritative data for the other 12, the Secondary Root NS. The top-level domain zones .edu, .gov and .mil are currently administered on A.ROOT-SERVERS.NET. In addition, it also contains root server information for all other top-level domains delegated worldwide.


This means that, in order to be available in the worldwide DNS, a top-level domain must be registered in this root server for resolution to work. The latest entries were made during 2001, introducing the top-level domains .info, .biz, .name and .museum.

7. Resolver
A resolver is an operating system component present on every TCP/IP-compatible network computer that handles communication between different network applications such as a Web browser and the name server assigned to it.


8. Name server
In principle a distinction is made between authoritative and non-authoritative behaviour of name servers. Authoritative name servers are responsible for one domain and can return a response based on locally stored domain information, while non-authoritative name servers must query an authoritative name server in order to resolve a domain query into an IP. The basic scheme for resolving an address is best described using the following illustration:

8.1 Primary NS & Secondary NS


When a domain is registered it is normally delegated to a minimum of two and a maximum of 13 name servers. The prospect of delegation to all 13 name servers begs the question of how synchronisation is handled. This task is managed by a Primary NS serving as a master that always caches the original data and up to 12 other name servers that make use of the data from the Primary NS. Modification to domain data in one of the secondary name servers has only a local impact and does not result in modification to the domain data on all delegated name servers. In spite of these great differences the response behaviour of all of these authoritative name servers is identical, making it impossible to detect whether the responding name server is a primary or secondary name server.


8.2 Caching NS and recursive queries


Caching and recursive queries are name server settings that come to bear only when a name server is used to resolve a domain not delegated to this name server. Caching means that a name server retains (caches) zone information for a queried domain, and answers further queries for it from that copy, for the length of time specified by a particular entry in the zone file. As a rule this period of time is eight hours. The recursive query option causes the name server to make inquiries until it can resolve the queried domain or determine that it does not exist. A name server that is not configured for this option simply gives a response based on the domains entered in it. Such a response is of limited use, because a negative answer from this server does not mean that the domain cannot be resolved at all.


9. The zone file


The zone file could be referred to as the brains of a zone because it contains all necessary information for a zone.

begin zone file 1and1.com --------------------------------------------
@   IN SOA  ns27.1and1.com. hostmaster.1and1.com. (
            2001100201  ; serial
            8H          ; refresh
            2H          ; retry
            1W          ; expiry
            11h6m40s )  ; minimum
    IN NS   ns27.1and1.com.
    IN NS   ns28.1and1.com.
    IN A    217.160.232.1
    IN MX   10 mx00.1and1.com.
    IN MX   10 mx01.1and1.com.
...
end zone file 1and1.com --------------------------------------------

A distinction can be made between two types of information here: the SOA values contain information about handling the zone file itself, while all other entries, the resource records, describe particular capabilities of a domain. The most frequently used record types, NS, A and MX, are explained individually below.

9.1 SOA (Start of Authority)


As briefly mentioned before, these values contain information for name servers that refers to the administrative management of a zone and not to its actual content.

Serial: Ascending number which can be used to determine whether a zone file has been modified or not. If this version number is not increased after modifying the zone, the secondary name servers that query it do not accept the modification, as they assume that the zone has not been changed.

Refresh: The interval of time (normally 8 hours) after which a secondary NS must check with the primary NS to verify that the cached data is still up to date.

Retry: Should the primary NS not be available for a refresh, a secondary NS will again attempt to carry out a zone transfer (AXFR) after this interval of time has elapsed.

Expiry: If no refresh can be carried out before this time interval expires, the zone is declared expired. The result is that the NS no longer provides an authoritative response for this zone.

Minimum TTL: The TTL (Time To Live) specifies how long a non-authoritative NS is allowed to cache data from this zone without making a new query.

These values are responsible for the speed at which modifications to the data in a domain are propagated worldwide. The SOA records for higher-level (delegated) zones should always be taken into consideration when redelegating a domain to a new name server. The result of this is that the normal service provider e.g. when making modifications to the name server below a top-level domain has only a limited influence on the length of time needed for propagation.
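As an added example (not part of the 1&1 document), the following Python applies the serial, refresh, retry and expiry rules described above the way a secondary name server would. It assumes BIND-style time values; the SOA numbers are taken from the zone file in section 9, and the serial comparison at refresh time is my assumption about how the check is carried out.

```python
import re

# Added example, not from the 1&1 document: apply SOA timing values the way a
# secondary name server does. Time strings use the zone-file syntax seen above.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_ttl(value: str) -> int:
    """Convert a zone-file time value ("8H", "1W", "11h6m40s", "3600") to seconds."""
    text = value.strip().lower()
    if text.isdigit():
        return int(text)
    if not re.fullmatch(r"(\d+[smhdw])+", text):
        raise ValueError(f"bad time value: {value!r}")
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", text))

# SOA values from the 1and1.com zone file shown in section 9.
SOA_1AND1 = {"serial": 2001100201, "refresh": "8H", "retry": "2H",
             "expiry": "1W", "minimum": "11h6m40s"}

def secondary_state(soa, local_serial, elapsed, primary_serial=None):
    """What a secondary NS does `elapsed` seconds after its last successful AXFR.

    primary_serial is the serial the primary reports at refresh time, or None
    when the primary cannot be reached. Returns (state, seconds to next check).
    """
    refresh, retry, expiry = (parse_ttl(soa[k]) for k in ("refresh", "retry", "expiry"))
    if elapsed >= expiry:
        # No successful refresh within `expiry`: the zone is discarded and the
        # server stops giving authoritative answers for it.
        return ("expired", 0)
    if elapsed < refresh:
        return ("current", refresh - elapsed)
    if primary_serial is None:
        # Refresh failed: keep trying every `retry` seconds until the zone expires.
        overdue = elapsed - refresh
        return ("retrying", min(retry - overdue % retry, expiry - elapsed))
    if primary_serial > local_serial:
        return ("transferring", 0)          # higher serial: fetch the zone (AXFR)
    # Same serial: the secondary assumes nothing changed, even if the primary's
    # zone text was edited without raising the serial.
    return ("current", refresh)
```

The "11h6m40s" minimum of the example zone works out to exactly 40000 seconds, and an edit on the primary that forgets to raise the serial is reported as "current" rather than "transferring".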


9.2 Resource records


NS record
Syntax: $domain IN NS $nameserver.
Specifies which name servers are authoritative for this domain. It is not possible to determine which name server is the primary and which is the secondary from the order in which the name servers are listed.

A record
Syntax: $domain IN A $ip
Specifies which IP is assigned to this domain. This entry doesn't necessarily have to be made; a domain can, for example, be used only for mail services, and an A record is not necessary for this. On the other hand, more than one record can be entered for each domain. In this case the IPs are returned in round-robin fashion, i.e. a different record comes first with each query. This is of particular importance for large scalable systems.

MX record
Syntax: $domain IN MX $priority_number $mailserver.
Specifies which mail servers are responsible for this domain. This entry is of course also not obligatory, and as with the A record several entries may be made. One special feature is the $priority_number, which tells the querying mail server which mail server should be used first. Only when the mail server with the highest priority is not available is the next entry tried. The priority rises as the value of the number falls, meaning that lower numbers have a higher priority. Another special feature is that only domains may be entered for mail servers. An entry referencing an IP results in an error.

CNAME record
Syntax: $domain IN CNAME $target_domain.
CNAME stands for canonical name and is a redirection to the zone file of the entered target domain. All entries (NS, MX, A) thus apply to this target domain. This is primarily used to make it easier to maintain domains with the same basic data, or to assign other domains entered in the same zone the same data as the zone itself.

Additional entries
IN: The IN entry stands for the Internet data class. Still more classes exist, but they are not widely used.
The . (dot): All domains that do not end with a dot are automatically extended by the domain name of the zone when the zone file is loaded by a name server.


begin zone file $domain ---------------------------------------------
...
    IN NS   ns                 This entry is automatically changed to: IN NS ns.$domain.
or
    IN NS   212.100.100.100    becomes: IN NS 212.100.100.100
...
www                            becomes: www.$domain.
end zone file $domain ---------------------------------------------

To prevent this behaviour, a . must be placed at the end of a name. This is particularly important when, for example, a mail exchanger is to be entered that does not lie within the same zone.

begin zone file $domain ---------------------------------------------
...
MX lies in the same zone:
    IN MX   mx                       or: IN MX mx.$domain.
MX does not lie in the same zone:
    IN MX   mx.mailexchange.com.
A missing dot here would result in an error; this
    IN MX   mx.mailexchange.com
becomes
    IN MX   mx.mailexchange.com.$domain.
...
end zone file $domain ---------------------------------------------

A domain name that already ends in a . is referred to as a fully qualified domain name (FQDN) or fully rooted domain name.


9.3. The @ symbol


The @ symbol represents the name of a zone. Because all resource records in a zone file always refer to the last named domain name, this symbol is used to separate and enter additional records directly below the zone.

begin zone file $domain ---------------------------------------------
@   IN SOA  ns27.1and1.com. hostmaster.1and1.com. (
            2001100201  ; serial
            8H          ; refresh
            2H          ; retry
            1W          ; expiry
            11h6m40s )  ; minimum
    IN NS   ns27.1and1.com.         Is valid for the zone $domain
    IN NS   ns28.1and1.com.
www IN A    217.160.232.1           Is valid for the domain www.$domain.
    IN MX   10 mx00.1and1.com.
    IN MX   10 mx00.1and1.com.
ftp IN A    217.160.232.1           Is valid for ftp.$domain.
@   IN A    217.160.232.1           Is valid for the zone $domain.
    IN MX   10 mx00.1and1.com.
    IN MX   10 mx01.1and1.com.
end zone file $domain ----------------------------------------------
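The dot rule from section 9.2 and the @ and "last named owner" rules from this section, carried out in Python as an added example that is not part of the 1&1 document. It assumes BIND-style zone syntax, leaves the multi-line SOA record out, and runs on a constructed zone text modelled on the 1and1.com example.

```python
import re

# Added example, not from the 1&1 document: expand a zone file's relative names
# the way a name server does when it loads the zone (sections 9.2 and 9.3).
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Index of the rdata field(s) that hold a domain name, per record type.
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1]}

def qualify(name: str, origin: str) -> str:
    """'@' is the zone itself; a name ending in '.' is already fully rooted
    (an FQDN); any other name gets the zone name appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def normalise_zone(text: str, origin: str):
    """Return (owner, type, rdata) triples with every domain name fully qualified.
    A line that starts with whitespace reuses the previous owner name, and ';'
    starts a comment. The multi-line SOA record is left out of this example."""
    origin = origin if origin.endswith(".") else origin + "."
    records, owner = [], origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if not line[0].isspace():            # owner name in column 0
            owner, tokens = qualify(tokens[0], origin), tokens[1:]
        if tokens[0] == "IN":                # class is optional in zone syntax
            tokens = tokens[1:]
        rtype, rdata = tokens[0], tokens[1:]
        for i in NAME_FIELDS.get(rtype, []):
            # The document treats a dotted-quad target as an address and leaves it
            # as is; every other unrooted name is extended with the zone name.
            if not IPV4.match(rdata[i]):
                rdata[i] = qualify(rdata[i], origin)
        records.append((owner, rtype, " ".join(rdata)))
    return records

# Constructed zone text modelled on the document's 1and1.com example (SOA omitted).
ZONE_TEXT = """\
@   IN NS ns27                       ; becomes ns27.1and1.com.
    IN NS ns28.1and1.com.            ; trailing dot: left alone
    IN A  217.160.232.1
    IN MX 10 mx00                    ; becomes mx00.1and1.com.
    IN MX 10 mx.mailexchange.com     ; missing dot: the error the document warns about
www IN A  217.160.232.1
ftp IN CNAME www                     ; becomes www.1and1.com.
@   IN MX 20 mx01.1and1.com.
"""

def expanded_1and1():
    return normalise_zone(ZONE_TEXT, "1and1.com")
```

The fifth record comes out as mx.mailexchange.com.1and1.com., which is exactly the mistake the missing dot produces.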

10. Reverse mapping


There are currently many applications (some mail transfer agents, for example) that make it necessary not only to map a domain to an IP, but also to assign a domain to an IP. For this reason the in-addr.arpa domain was introduced, through which an IP is converted into a domain so that it can be resolved with normal DNS logic. The convention for writing a domain of this kind is analogous to the convention for a normal domain: the most significant part is on the right side. The IP 217.160.232.1 would then become the domain 1.232.160.217.in-addr.arpa.


Forward mapping and reverse mapping are entries that are completely separate from each other, are not mutually dependent and also don't have to be consistent. It is thus entirely possible for a forward lookup to return an IP that would not necessarily have the originating domain as the result of a reverse lookup. Above all, it should be noted that a separate registered name server is responsible for each of the two entries. These need not be the same, because both identifiers are delegated by independent institutions. For a domain this is the respective registry for the top-level domain (.com: Verisign, .info: Afilias), whereas the responsibility for an IP, at least in North America, lies with ARIN (American Registry for Internet Numbers).

There is a special resource record not yet mentioned that is used to map this type of domain on a name server:

Pointer record
Syntax: $in-addr.arpa IN PTR $domain.
This entry is used to resolve a normal domain from an IN-ADDR.ARPA domain.
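As an added example (not from the 1&1 document), the following Python builds the in-addr.arpa name for an address and then checks whether a domain's A records and the corresponding PTR records agree, since, as stated above, nothing forces them to. The lookup tables stand in for two independently delegated zones and are constructed, apart from the 217.160.232.1 example taken from the text.

```python
import ipaddress

# Added example, not from the 1&1 document: build in-addr.arpa names and check
# whether forward (A) and reverse (PTR) data agree, since nothing forces them to.

def reverse_name(ip: str) -> str:
    """217.160.232.1 -> 1.232.160.217.in-addr.arpa. (octets reversed, fully rooted)."""
    addr = ipaddress.IPv4Address(ip)            # rejects malformed addresses
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."

def ip_from_reverse_name(name: str) -> str:
    """Inverse of reverse_name; rejects anything that is not a full IPv4 PTR owner name."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not a full IPv4 reverse name: {name!r}")
    return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))

# Constructed lookup tables standing in for two independently delegated zones:
# a forward zone (A records) and the matching in-addr.arpa zone (PTR records).
FORWARD = {"www.1and1.com.": ["217.160.232.1"],            # from the document
           "mail.example.net.": ["192.0.2.25"],            # constructed
           "shop.example.net.": ["192.0.2.25"],            # constructed
           "orphan.example.net.": ["203.0.113.9"]}         # constructed, no PTR
REVERSE = {"1.232.160.217.in-addr.arpa.": "www.1and1.com.",
           "25.2.0.192.in-addr.arpa.": "mail.example.net."}

def forward_confirmed(domain: str, forward=FORWARD, reverse=REVERSE) -> dict:
    """For each A record of `domain`, report whether the PTR for that IP names a
    domain whose own A record contains the IP (the check many MTAs apply)."""
    result = {}
    for ip in forward.get(domain, []):
        ptr = reverse.get(reverse_name(ip))
        result[ip] = ptr is not None and ip in forward.get(ptr, [])
    return result
```

shop.example.net. passes the check even though its PTR names mail.example.net., which is the situation the paragraph above describes, while orphan.example.net. fails because no PTR exists at all.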


11. Tools
There are many tools that can be used to get a close look at the configuration of a zone. They make it possible to query the data contained in a zone file (just like a name server) in order to test the response behaviour of the queried NS. Most of these programs can be obtained as freeware or shareware from the Internet or are already installed on network-capable systems. The most popular programs of this kind are currently:

Unix
  Dig         http://fsck.ch/projects/dns/theory/man_dig.php
  Host        http://fsck.ch/projects/dns/theory/man_host.php
  Nslookup    http://fsck.ch/projects/dns/theory/man_nslookup.php
Windows
  Nslookup    http://www.trumphurst.com/dnsocx/nslookup.phtml
  Cyberkit    http://www.cyberkit.net
Mac
  DNS Lookup  http://www.macosarchives.com/dns_tools.html
  Whatroute?  http://www.mac.org/internet/whatroute/

These programs provide a graphical user interface or, in the case of dig, require the use of the command line.


12. Special features of gTLD domains


If for your gTLD domain you use your own name server that lies within the same gTLD (e.g. ns.example.info is to be the name server for newdomain.info), there are some special features to be aware of:

- Each name server must be registered with an IP.
- Under a .com/.net domain a registrar may only set up name servers for which he himself is the registrar.
- A registrar may update only his own name servers; these can however be used by all registrars.

The following case leads to an error: you have registered the example.com domain via another registrar and now want to use a name server that has not yet been used below this domain (e.g. ns.example.com).
Consequence: Registering or updating the domain cannot be done, because the name server cannot be registered.
Solution: Arrange the registration of the name server via the other registrar, or change the registrar of the affected domains to us.

If you use a name server within another top-level domain these problems will not occur, because we can register these without an IP address. (A notable exception applies to .com and .net, which are treated as the same top-level domain since both are run by the same registry.)
